Finally, Dragonfly is known for delivering backdoors such as Trojan.Heriplor and Trojan.Karagany.B to victims' inboxes, disguised either as fake Flash updates or as legitimate software that has been trojanized.
"As well as sending malicious emails, the attackers also used watering hole attacks to harvest network credentials, by compromising websites that were likely to be visited by those involved in the energy sector.
"The stolen credentials were then used in follow-up attacks against the target organizations. In one instance, after a victim visited one of the compromised servers, Backdoor.Goodor was installed on their machine via PowerShell 11 days later. Backdoor.Goodor provides the attackers with remote access to the victim’s machine."
"The original Dragonfly campaigns now appear to have been a more exploratory phase where the attackers were simply trying to gain access to the networks of targeted organizations. The Dragonfly 2.0 campaigns show how the attackers may be entering into a new phase, with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future.

"The most concerning evidence of this is in their use of screen captures. In one particular instance the attackers used a clear format for naming the screen capture files, [machine description and location].[organization name]. The string 'cntrl' (control) is used in many of the machine descriptions, possibly indicating that these machines have access to operational systems."

Given the persistence of the Dragonfly 2.0 attack campaign, it's important that energy organizations take steps to protect themselves against digital threats. They should educate their employees about phishing attacks and consider segmenting their networks, for example. They should also look to leverage security controls to better defend their industrial control systems (ICS). Learn how Tripwire's products can ramp up your organization's ICS defense strategy here.
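The screen-capture naming convention quoted from Symantec above is something a defender can hunt for on file shares, staging directories or in file-creation telemetry. The following is an added example, not code from the original post, from Symantec or from Tripwire: it parses filenames of the form [machine description and location].[organization name], flags any whose machine description contains the string 'cntrl', and runs over a handful of constructed sample names. The optional image extension, the sample names and the organization names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Assumption: captured screenshots may carry a common image extension that the
# naming scheme quoted in the report does not mention. It is stripped before
# splitting so that "<machine>.<org>.png" still parses.
IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "bmp", "gif"}

# Substrings in the machine description that suggest a control-system host.
# 'cntrl' comes from the quoted report; extend with your own naming conventions.
CONTROL_TOKENS = ("cntrl",)


@dataclass
class ScreenCaptureName:
    raw: str           # filename as seen on disk or in telemetry
    machine: str       # "[machine description and location]" field
    organization: str  # "[organization name]" field
    flagged: bool      # True when the machine description contains a control token


def parse_capture_name(name: str):
    """Parse "<machine description and location>.<organization name>[.<ext>]".

    Returns a ScreenCaptureName, or None if the name does not fit the scheme.
    """
    base = name
    stem, dot, suffix = name.rpartition(".")
    if dot and suffix.lower() in IMAGE_EXTENSIONS:
        base = stem
    # The organization name is the last dot-separated field; everything before
    # it is the machine description, which may itself contain dots.
    machine, dot, org = base.rpartition(".")
    if not dot or not machine or not org:
        return None
    flagged = any(tok in machine.lower() for tok in CONTROL_TOKENS)
    return ScreenCaptureName(raw=name, machine=machine, organization=org, flagged=flagged)


def triage(names):
    """Return parsed entries for every name that matches the naming scheme."""
    parsed = (parse_capture_name(n) for n in names)
    return [p for p in parsed if p is not None]


def flagged_names(names):
    """Return the raw filenames whose machine description looks like a control host."""
    return [p.raw for p in triage(names) if p.flagged]


def machines_by_org(names):
    """Group flagged machine descriptions by organization, for a quick victim summary."""
    summary = {}
    for p in triage(names):
        if p.flagged:
            summary.setdefault(p.organization, []).append(p.machine)
    return summary


# Constructed sample names for the example; they are not real observations.
SAMPLE_NAMES = [
    "cntrl-hmi-plant2.acme",             # control host, no extension
    "eng-ws-hq.acme.png",                # engineering workstation, image extension
    "scada-cntrl-substation7.example",   # control host at a second organization
    "notes",                             # does not fit the scheme at all
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_NAMES):
        marker = "FLAG" if entry.flagged else "    "
        print(f"{marker} org={entry.organization:<8} machine={entry.machine}")
```

The split is done from the right because the organization name is the one fixed-position field; a machine description such as "plant2.cntrl-hmi" would otherwise be cut in the wrong place. On a real investigation you would feed `triage` the names from a directory listing or from file-creation events rather than the constructed list.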